Archive for March, 2011
Is there a chaos in Digital Forensic? (via Notes)
Marian Svetlik makes some good points about the state of our industry in his latest jottings.
via Notes
Read Full Post | Make a Comment ( None so far )Twits in court
Here’s an interesting one – a friend of mine was giving evidence in crown court today and has just sent a text message to say that a journalist mentioned their name on Twitter.
Not so surprising ? Their name will probably appear in the press reports in tomorrow’s paper anyway. Well, yes – except for one thing. The tweeting was happening in real time. As the witnesses were being cross-examined a journalist was relaying highlights directly from the courtroom.
Now – I can’t help but wonder what effect this could have on the testimony of a witness who has yet to be called and who is being kept away from the court in a witness room. Usual practice calls for witnesses to give their evidence without hearing anyone else’s to ensure that they have not been influenced by anything that has happened in the court (with the exception of “experts” who have been granted the privilege of sitting in court to advise counsel).
Mobile data networks and blogging sites, of course, can completely destroy this isolation – witnesses can be sitting in the witness room receiving selected detail of the evidence as it is presented, possibly very carefully filtered by someone who really wants to influence them.
In this case, I don’t think that’s what happened – it’s just yet another instance of someone using a technology without thinking through the consequences.
Perhaps it’s time to revisit the issue of technology in court – cameras have been banned almost since they were invented – perhaps we need a blanket ban on everything which can communicate with the outside world, in the interests of impartiality and fairness for all ? Perhaps news, just like travel and food, would be better for being a little slower ?
Read Full Post | Make a Comment ( 1 so far )Ready or not ?
In a couple of weeks time I’ll be off to Singapore, missing the Malaysian GP (but flying over it), to attend the next ISO/IEC SC27 meeting. Another week of sitting in meeting rooms in an exotic location.
While there, I’ll be proposing some new work that the UK delegation feels is necessary to complement the existing work on ISO 27037 (Identification, acquisition and preservation of digital evidence). Our view is that 27037 represents the middle of a 3-stage sub-process in Information Security Incident handling.
By the time you need to collect potential evidence, and incident has already occurred – and in order to be able to collect useful material you need a plan. Our view is that IS Incident Investigation should start with proper planning, then move on to collection and finally analysis & reporting. All of which should be properly underpinned by a robust validation & verification mechanism.
So – we are going to propose that some new work on IS Incident Investigation Readiness should be conducted, with a view to including it in ISO 27035 (Security Incident Management). Why there rather than in 27037 or a new standard ?
Well – Investigation is just one possible response to an incident – a common and useful one, but not the only one, so it makes sense to have it included in the management standard, which already includes risk assessment & management. Planning needs to come from an understanding of possible incidents and the systems which can be affected. Also, we know that many companies, particularly SMEs, will need to outsource the collection & analysis stages – which is perfectly acceptable – but still need to do their own planning to ensure that the organisation they call in can understand the nature of the incident and the systems affected, and that the methods to be employed in stages 2 & 3 meet the requirements of the plan.
I think it’s necessary work – certainly based on reports I’ve heard over the years from companies who complain that intellectual property breaches and acquisition of commercially sensitive data have not been investigated or prosecuted properly. In every case I’ve considered there has been a failing from day 1 on the part of the company – they didn’t take proper actions to secure the information or data, and they had no mechanism in place to prevent or investigate. As someone once said “Fail to plan and you plan to fail”.
There’s nothing really new in this – Incident Response guides recommend investigation as well as post-incident clean-up as good practice. It helps the organistion to learn from mistakes. The only real difference is that we are planning to set an international minimum standard for it – to help people understand the basic requirements.
If you haven’t already done some planning for incident investigation – why not start now ? or give me call or e-mail ? It needn’t take long, or be hugely expensive – but it could save a fortune if something untoward does happen.
P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.
Read Full Post | Make a Comment ( 1 so far )Contracting
Just recently I’ve been having discussions about possibly becoming a contractor for a little while and it’s thrown up a question that’s haunted me ever since I started examining other people’s computers.
I’m a fan of open-source software and I really do believe that one of the benefits I offer as a consultant is the fact that I don’t use the same examination kit as everyone else. It means that when I check their results or they check mine we are using significantly different tools, and mine are open for anyone to scrutinise at the source-code level. So, if we find a discrepancy we can dig deep into at least one the tools, if necessary, to find the reason why. It’s proper dual-tooling, or as close as we can get for now.
Now, in the past I’ve had to explain this (because there are two or three tools that everyone expects to see and eyebrows are raised when I don’t mention them ) but it has never stopped me getting an expert witness job. The critical word there is “expert” – in that role I am supposed to exercise my judgment to select the best tools and methods for the job.
However, a contractor is different creature – if I do get offered this job, I have to fit into someone else’s working environment and do things their way with their tools. I can do it. In my academic life I had to learn new skills, tools etc. very quickly and be able to teach them to other people. It’s a knack that a good lecturer picks up soon, or they don’t survive in labs. for long. The question is, will the client believe I can do it or will they wait until they find someone with the right piece of paper instead ?
My argument, for what it’s worth, is that I can learn the tool quickly and, because I have a background in computer science and am used to creating little ad-hoc tools whenever I need them, I can check the tool’s results in a way that someone who just know the program might not be able to.
We shall see.
Meanwhile, in the world of standards and regulation things have gone quiet in the Regulator’s office. His contract has been extended for another 3 years, but I rather think he’s suffering from budget cuts elsewhere. No matter, plans are well underway for the next ISO meeting in Singapore where we will be trying to get some new work approved to go beyond the current ISO/IEC 27037 and ensure we have guidance for a complete process from planning through acquisition to analysis, with proper validation all the way through.
Read Full Post | Make a Comment ( 4 so far )
Forensically sound(ing off) 